Email Authentication Frameworks: Truthiness
A few weeks ago, my boss asked for my opinion on an article by Dan Kaplan of SC Magazine titled Keeping A Secret, published 3/9/2008 (yes, a while ago). The article discusses the larger problem of authenticating email senders, and specifically the TSCP (Transglobal Secure Collaboration Program) framework. It was a great opportunity to step back and contemplate the fundamental concerns and drawbacks of authenticating email. I'm sharing my sanitized thoughts here for the consumption of others, as I think these issues are shared amongst security practitioners everywhere - whether it's called TSCP, TEOS [pdf] (Microsoft's Trusted Email "Open" Standard), or something else.
First, a brief bit about TSCP. From their website, TSCP "engenders a common framework for secure collaboration and sharing of sensitive information in international defence and aerospace programs." It is a partnership, not so much an organization or industry trade group. The group has released secure email specifications [pdf] designed to help address the identity management problems inherent in email, somewhat as an implementation of Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors.
Enough boring govvie crap, though, let's get on to an analysis of the article and some critical thinking about the claims of the proponents of this and other related systems.
The two sources Kaplan uses to set the tone of this article are Northrop Grumman's Keith Ward, who frames the problem of email authentication, and Amit Yoran (NetWitness CEO & former Bush administration cybersecurity chief), who acts as a professional opinion source on TSCP. Keith does a good job of boiling down the problem we face with targeted, forged emails, and to a certain extent how they've impacted the DoD and its contractors. However, the extent to which TSCP - and indeed any email authentication framework - addresses this problem is greatly exaggerated by Yoran. He even claims the standard "helps remove entire categories of problems that plague us like spear phishing." This is simply not true. The article goes on to cheerlead TSCP as addressing everything from green initiatives to terrorism - weak claims that are clearly hyperbole.
TSCP will give recipients a higher level of confidence that the sender of an email from a participating member is authentic. The meat of the article really focuses on Yoran's quote above; however, there are two fundamental problems with the assertion that an email authentication framework (let's assume TSCP is flawlessly implemented) will solve whole categories of problems like spear phishing:
1. It is inconceivable that there will be any situation where all email correspondence for an account holder will be subject to this framework. Wherever there is professional correspondence, there is opportunity for spear phishing. Even where there is casual correspondence, that opportunity exists. To wit, I have seen targeted email campaigns that spoof personal correspondents as senders (scary, huh?). Any broadcast emails that come from a shared or anonymous address will not fit into such a framework. These are common, especially for announcements on contracts from the government (BAAs), mailing lists, etc.
2. The security of the system presupposes that all credentials are secure. If any credentials are compromised, this trust system fails, and phishing is not only possible using the compromised credentials, but it stands to be far more effective because the sender is "trusted." The framework provides a quick and effective response in such situations - revoking the credentials - that isn't available in classic email correspondence, but in the interim all other participants are exposed. To that end, the approach suffers from a painful paradox: the larger the system, the more useful it is and the more participation will grow. But as the system grows larger, the likelihood that some credentials will be compromised at any given time grows with it, putting us right back at square one.
All of this isn't to say that TSCP or similar frameworks are so flawed as to be useless. Such systems do raise the bar for adversaries, making some of their approaches less tractable. Expectations should be tempered, however, and investments in them should reflect the benefits a real implementation actually delivers. Users should also realize that strange behavior is strange behavior, even within a trusted framework.
For a long time I have been working on an entry covering identity management more broadly (and philosophically); stay tuned, maybe I'll finish it one day.